TOTP (Time-Based One-Time Password)
The 6-digit codes from authenticator apps. Strong second factor; better than SMS.
TOTP (RFC 6238) generates a 6-digit code that changes every 30 seconds, derived from a shared secret and the current time. The server and your authenticator app both compute the code from the same secret and time; they should match within a small window.
TOTP is a stronger second factor than SMS, which is vulnerable to SIM-swap attacks. It is weaker than hardware security keys (YubiKey, FIDO2) but more practical because every service supports it.
Authenticator apps that store the TOTP secrets locally: Aegis Authenticator (Android), Ente Auth (cross-platform), 2FAS (cross-platform), KeePassXC (desktop), Strongbox/KeePassDX (mobile, KeePass-compatible). Avoid Google Authenticator and Microsoft Authenticator if you can — both have problematic backup-and-sync stories that have caused users to lose access.